Wednesday, August 22, 2007

PHP is such a widely used scripting language for dynamic website development that I've often been puzzled by the lack of a really effective security framework. Most developers, I suppose, wind up developing their own classes for sanitising user submitted data (to guard against sql injection and cross site scripting) and do things like tokenising forms to protect against automated attacks.

Core Security have released GRASP - which seems a bit of a cumbersome approach at first sight - you have to patch your PHP source code tree and recompile - which rules out the immediate application in a production environment. But it's worth playing with on a development machine. And, of course, trying to break it.